Code of Practice - Internal Controls
Comments from ACCA
December 2005
ACCA is pleased to comment on the draft Code of Practice on the above. These comments have been put together with the assistance of ACCA members with wide experience of pension scheme matters from a variety of perspectives.
We agree that, given the statutory requirement for schemes to put in place ‘adequate’ internal controls, it will be appropriate for the Regulator to issue a Code of Practice on this issue and for it to have broad application. We also agree that it would be consistent with the legal provision for the Regulator to adopt a proportionate approach when considering whether schemes of different sizes are complying with their obligation on this matter.
The Regulatory Impact Assessment in Chapter 4 of the draft gives the impression that the Regulator expects that the impact of the Code will be minimal – paragraph 9 says that the costs of compliance with the new legal requirement should be neutral, since schemes should already have adequate systems and procedures in place. We suspect, however, that the Regulator may take the view that there are some schemes which do not currently operate with satisfactory controls and that such schemes should be encouraged to improve their procedures in order to become properly compliant. If this is indeed the Regulator’s view, we wonder whether the Code might carry some acknowledgement, early on, that its provisions may, for most schemes, be a re-iteration of practices which they follow already but that other schemes will be expected to review and if necessary change their practices if they wish to be fully compliant.
Our comments on the specific consultation questions are as follows:
Q1 Do you think the proposed risk-based approach to internal controls will achieve the regulator’s objectives?
We favour a risk-based approach. What is ‘adequate’ as regards internal controls will vary in terms of nature and level of complexity depending on the circumstances of the entity concerned.
Q2 Do you agree that the Code should set out a high-level approach for trustees and managers?
In principle, we agree that the Code should be high-level, avoid prescription and leave matters of detail to the discretion and common sense of trustees and managers.
Q3 Do you agree that our definition of internal controls provides a suitable framework to enable trustees or managers to satisfy the requirements of the legislation?
We consider that the passages which define internal controls need to be tightened up and made more practically useful to those schemes which may not currently have internal controls sufficient to meet the new legal requirements.
Paragraph 4 of the draft Code is, in our view, incomplete. It states that internal controls are arrangements and procedures for administering and managing a scheme, and for monitoring the administration and management of the scheme. We suggest that the section needs to expand on this by explaining the purpose of the monitoring function: this should be explained as being to provide an appropriate level of assurance that scheme operations are operating within the scheme rules and legal requirements and that scheme assets and interests are being safeguarded.
Further on, in para 11, the draft sets out typical key risk areas and examples of internal control procedures which the Regulator is likely to deem adequate. The examples given omit a number of elementary internal controls which we suggest may be useful to some readers, for example:
| Risk | Possible types of control |
| --- | --- |
| Fraud | Establishment of appropriate authorisation levels |
| Compliance/regulatory risk | Appropriately designed systems and procedures |
| Computer system and database failures | Should include software development controls and control of physical access to system components (e.g. file servers and terminals) |
| Poor scheme management | Should include controls over the recruitment process and appointment of third party suppliers, planning of key events and monitoring against plans. |
Paragraph 13 also says that trustees and managers should set up adequate controls to enable them to ‘react to’ significant risks. The emphasis here is substantially incorrect and needs to be revised – it should be made clear that the implementation of adequate controls is about helping trustees and management plan in advance for dealing with certain eventualities, not to help them react to problems after they have occurred.
Q4 Does the Code clearly identify instances where internal control failures may result in a report being made to the Pensions Regulator?
In paragraph 25, the draft states that ‘where there is doubt over the effective stewardship of a scheme, the Regulator would expect to receive a report’. The term ‘doubt’ as used here is unhelpful and in our view inappropriate. The legal test used in determining whether a reporting duty arises is where a specified party has ‘reasonable cause to believe’ (that some legal obligation has been breached). We suggest that specific cross-reference be made to this condition and the weak and vague term ‘doubt’ deleted.


